################################################################################
# Telescope NGINX config template. We use NGINX as our default router,
# receiving all traffic on 80/443 and forwarding it to our front-end and
# back-end services.
#
# NOTE: this is a template vs. final conf file, and meant to be used with Docker
# in order to replace the TELESCOPE_HOST, API_HOST, and PORTAINER_HOST variables
# with values from the env. See the section "Using environment variables in
# nginx configuration (new in 1.19)" in:
#
# https://hub.docker.com/_/nginx
#
# A lot of this is based on the following amazing resources:
# - https://github.com/h5bp/server-configs-nginx
# - https://www.digitalocean.com/community/tools/nginx
################################################################################
# Drop privileges after binding: worker processes run as the less privileged
# "nginx" account (the nginx default would be "nobody nobody").
# https://nginx.org/en/docs/ngx_core_module.html#user
# https://en.wikipedia.org/wiki/Principle_of_least_privilege
user nginx;
# Cap on open file descriptors per worker. Keep this above worker_connections,
# since every connection (plus any proxied upstream socket) costs a descriptor.
# nginx default: no limit.
# https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
worker_rlimit_nofile 8192;
# Size the worker pool to the CPU cores nginx can see.
worker_processes auto;
events {
    # Use the Linux epoll event method instead of select/poll (Linux 2.6+);
    # cheaper per connection under load.
    use epoll;
    # Upper bound on simultaneous connections a single worker will service.
    worker_connections 8000;
}
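http {
    # Use utf-8 for the charset on our content-type headers
    charset utf-8;
    # Don't send version number in the "Server" response header.
    server_tokens off;
    # Serve resources with proper MIME type
    include mime.types;
    # Log errors and warnings to this file
    # This is only used when you don't override it on a `server` level
    error_log /var/log/nginx/error.log warn;
    # Log access to this file
    # https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
    access_log /var/log/nginx/access.log;
    # Default to binary data if we can't map the type
    default_type application/octet-stream;

    # Update charset_types to match updated mime.types.
    charset_types
        text/css
        text/plain
        text/vnd.wap.wml
        text/javascript
        text/markdown
        text/calendar
        text/x-component
        text/vcard
        text/cache-manifest
        text/vtt
        application/json
        application/manifest+json;

    # Improve the efficiency of writes
    sendfile on;
    # Don't send out partial frames; this increases throughput
    tcp_nopush on;

    # Enable gzip compression
    gzip on;
    # Compression level of 5 to find a balance between CPU and size (levels are 1-9)
    gzip_comp_level 5;
    # Don't compress anything that's already small
    gzip_min_length 256;
    # Compress data even for clients that are connecting to us via proxies
    gzip_proxied any;
    # Tell proxies to cache both the gzipped and regular version of a resource
    # whenever the client's Accept-Encoding capabilities header varies;
    gzip_vary on;
    # Compress all output labeled with one of the following MIME-types.
    # NOTE: `text/html` is always compressed by gzip module.
    gzip_types
        application/atom+xml
        application/geo+json
        application/javascript
        application/x-javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rdf+xml
        application/rss+xml
        application/vnd.ms-fontobject
        application/wasm
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/eot
        font/otf
        font/ttf
        image/bmp
        image/svg+xml
        text/cache-manifest
        text/calendar
        text/css
        text/javascript
        text/markdown
        text/plain
        text/xml
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;

    # Proxy cache definition.
    # levels - Defines hierarchy levels
    # keys_zone - Name for these settings
    # inactive - Cached data that are not accessed during the time specified by the inactive parameter get removed from the cache regardless of their freshness
    # max_size - When this size is exceeded, it removes the least recently used data
    # use_temp_path - Use a temp directory before moving all cached files into the cache directory
    # NOTE(review): no location in this file enables `proxy_cache telescope_cache;`,
    # so this zone (and the `proxy_cache_bypass` under /deploy/) is currently
    # inert. Keep it only if a location is meant to opt in; confirm intent.
    proxy_cache_path /tmp/nginx levels=1:2 keys_zone=telescope_cache:10m inactive=60m max_size=100M use_temp_path=off;
    proxy_cache_key "$scheme$request_method$host$request_uri";

    # SSL
    # options-ssl-nginx.conf (from certbot) supplies ssl_protocols / ssl_ciphers.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # One certificate for all vhosts below (expected to cover every *_HOST name
    # via SAN); each `server` block inherits these unless it overrides them.
    ssl_certificate /etc/letsencrypt/live/${TELESCOPE_HOST}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${TELESCOPE_HOST}/privkey.pem;
    # Following SSL configs are from https://ssl-config.mozilla.org/ (Intermediate)
    # Types + size of caches storing session params
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions

    # Security headers that every response should carry.
    # IMPORTANT: nginx `add_header` is NOT additive across levels. Any
    # `location` that declares its own `add_header` (e.g. a Cache-Control rule)
    # drops these http-level headers entirely, so every such location below
    # repeats them. If you add a new `add_header` in a location, copy these too.
    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;
    # Stop browsers from MIME-sniffing responses (mainly matters for the static
    # front-end, but cheap everywhere).
    add_header X-Content-Type-Options "nosniff" always;

    # OCSP stapling we can verify this by using the site
    # https://www.digicert.com/kb/ssl-support/nginx-enable-ocsp-stapling-on-server.htm
    # NOTE(review): Let's Encrypt has announced the end of its OCSP service;
    # once the responder is gone nginx simply stops stapling (not fatal), so
    # don't rely on the DigiCert check above staying green. Confirm current status.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/${TELESCOPE_HOST}/chain.pem;

    # Catch-all for TLS requests whose Host/SNI matches none of the vhosts
    # below (e.g. scans hitting the raw IP). Without an explicit default_server
    # nginx would pick the first 443 server in the file, which used to be the
    # Portainer admin UI. Close the connection without a response instead.
    server {
        listen 443 ssl http2 default_server;
        server_name _;
        return 444;
    }

    # Requests to the Portainer app
    server {
        listen 443 ssl http2;
        server_name ${PORTAINER_HOST};

        # Allow WebSocket connections
        location /api/websocket/ {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            # NOTE(review): the default proxy_read_timeout (60s) will close idle
            # WebSocket sessions (e.g. container consoles); raise it here if
            # users report dropped sessions.
            proxy_pass http://portainer:9000/api/websocket/;
        }

        # All other traffic can get proxied directly.
        location / {
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_pass http://portainer:9000/;
        }

        # Let's Encrypt route
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }
    }

    # Requests to the oauth2-proxy which redirect to supabase studio app once authenticated
    # Configuration reference: https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls/
    server {
        listen 443 ssl http2;
        server_name ${SUPABASE_HOST};

        location / {
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            # $remote_addr is the TCP peer, so a client-supplied header can't
            # spoof it; nginx is the edge here.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_pass http://oauth2-proxy:8080/;
        }

        # Let's Encrypt route
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }
    }

    # Requests to the api.* domain should be proxied to Traefik
    server {
        listen 443 ssl http2;
        server_name ${API_HOST};

        location / {
            proxy_set_header Host $host;
            # Overwrite (not append) client-address headers with the real peer
            # address so an upstream can't be fed a spoofed X-Forwarded-For.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            # Let upstreams know TLS terminated here (needed for correct
            # redirect/cookie construction behind the proxy).
            proxy_set_header X-Forwarded-Proto $scheme;
            # We run Traefik via Docker on port 8888
            proxy_pass http://traefik:8888;
        }

        # Let's Encrypt route
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }
    }

    # Default server redirects traffic on 80 to 443, prefer secure connection.
    # 307 (not 301) keeps the request method, so API clients that hit http://
    # with POST are not silently turned into GET.
    server {
        listen 80 default_server;
        server_name _;
        return 307 https://$host$request_uri;
    }

    # Front-end and Legacy Back-end node.js app are served here
    server {
        listen 443 ssl http2;
        server_name ${TELESCOPE_HOST};

        # Let's Encrypt route
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }

        # Redirect traffic from /deploy/* to the autodeployment server
        # extra slash for accepting all request_uri e.g. /deploy/status
        location /deploy/ {
            # No-op unless a `proxy_cache` directive is ever enabled (see the
            # proxy_cache_path note above); kept so deploy status is never cached.
            proxy_cache_bypass 1;
            proxy_pass https://${TELESCOPE_HOST}:4000/;
        }

        location /docs {
            root /usr/share/nginx/html;
        }

        # Static next.js front-end
        location / {
            # Directory from which we serve Next's static content
            root /var/www/data;

            # 1. next.js' Built Static Assets (JS bundles) can be cached forever.
            # see https://github.com/vercel/next.js/blob/27555c8ef9b06ff71e245e086db191103ecd2026/packages/next/next-server/server/next-server.ts#L592
            location /_next/static {
                expires max;
                add_header Cache-Control "public, max-age=31536000, immutable";
                # re-declare http-level headers (add_header is not inherited once
                # a location sets its own)
                add_header Strict-Transport-Security "max-age=63072000" always;
                add_header X-Content-Type-Options "nosniff" always;
            }

            # 2. Don't cache HTML
            location ~* \.(?:html)$ {
                add_header Cache-Control "public, max-age=0, must-revalidate";
                add_header Strict-Transport-Security "max-age=63072000" always;
                add_header X-Content-Type-Options "nosniff" always;
            }

            # 3. Don't cache the service worker /sw.js script
            location = /sw.js {
                add_header Cache-Control "public, max-age=0, must-revalidate";
                add_header Strict-Transport-Security "max-age=63072000" always;
                add_header X-Content-Type-Options "nosniff" always;
            }

            # 4. Cache custom styles we use in the front-end for a day
            location /styles {
                add_header Cache-Control "public, max-age=86400";
                add_header Strict-Transport-Security "max-age=63072000" always;
                add_header X-Content-Type-Options "nosniff" always;
            }

            # Try serving static content, and if not found continue with @proxy
            try_files $uri $uri/ @proxy;
        }
    }
}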